Recent advances in microelectronics technology have stimulated
an unprecedented growth in the supply of telecommunications and 
information processing services within the government and 
throughout the private sector. As new technologies have been 
applied, traditional distinctions between telecommunications 
and automated information systems have begun to disappear. 
Although this trend promises greatly improved efficiency and 
effectiveness, it also poses significant security challenges. 
Telecommunications and automated information processing systems 
are highly susceptible to interception, unauthorized electronic 
access, and related forms of technical exploitation, as well as 
other dimensions of the hostile intelligence threat. The 
technology to exploit these electronic systems is widespread 
and is used extensively by foreign nations and can be employed, 
as well, by terrorist groups and criminal elements. Government 
systems as well as those which process the private or 
proprietary information of US persons and businesses can become 
targets for foreign exploitation. (U) 


Within the government these systems process and communicate 
classified national security information and other sensitive 
information concerning the vital interests of the United 
States. Such information, even if unclassified in isolation, 
often can reveal highly classified and other sensitive 
information when taken in aggregate. The compromise of this 
information, especially to hostile intelligence services, does 
serious damage to the United States and its national security 
interests. A comprehensive and coordinated approach must be 
taken to protect the government's telecommunications and 
automated information systems against current and projected
threats. This approach must include mechanisms for formulating 
policy, for overseeing systems security resources programs, and 
for coordinating and executing technical activities. (U) 


This Directive: Provides initial objectives, policies, and an
organizational structure to guide the conduct of national
activities directed toward safeguarding systems which process
or communicate sensitive information from hostile exploitation;
establishes a mechanism for policy development; and assigns
responsibilities for implementation. It is intended to assure
full participation and cooperation among the various existing 
centers of technical expertise throughout the Executive Branch, 
to promote a coherent and coordinated defense against the 
hostile intelligence threat to these systems, and to foster an 
appropriate partnership between government and the private 
sector in attaining these goals. This Directive specifically 
recognizes the special requirements for protection of 
intelligence sources and methods. It is intended that the 
mechanisms established by this Directive will initially focus 
on those automated information systems which are connected to 
telecommunications transmission systems. (U) 


1. Objectives. Security is a vital element of the
operational effectiveness of the national security activities 
of the government and of military combat readiness. Assuring 
the security of telecommunications and automated information 
systems which process and communicate classified national 
security information, and other sensitive government national 
security information, and offering assistance in the protection 
of certain private sector information are key national 
responsibilities. I, therefore, direct that the government's 
capabilities for securing telecommunications and automated 
information systems against technical exploitation threats be 
maintained or improved to provide for: 


a. A reliable and continuing capability to assess 
threats and vulnerabilities, and to implement appropriate, 
effective countermeasures. 


b. A superior technical base within the government 
to achieve this security, and support for a superior technical 
base within the private sector in areas which complement and 
enhance government capabilities. 

c. A more effective application of government 
resources and encouragement of private sector security initia- 
tives. 

d. Support and enhancement of other policy objec- 
tives for national telecommunications and automated information 
systems. (U) 

2. Policies. In support of these objectives, the
following policies are established: 

a. Systems which generate, store, process, transfer 
or communicate classified information in electrical form shall 
be secured by such means as are necessary to prevent compromise 
or exploitation. 

b. Systems handling other sensitive, but unclassi- 
fied, government or government-derived information, the loss of 
which could adversely affect the national security interest, 
shall be protected in proportion to the threat of exploitation
and the associated potential damage to the national security. 

c. The government shall encourage, advise, and,
where appropriate, assist the private sector to: identify
systems which handle sensitive non-government information, the
loss of which could adversely affect the national security; 
determine the threat to, and vulnerability of, these systems; 
and formulate strategies and measures for providing protection 
in proportion to the threat of exploitation and the associated 
potential damage. Information and advice from the perspective 
of the private sector will be sought with respect to 
implementation of this policy. In cases where implementation 
of security measures to non-governmental systems would be in 
the national security interest, the private sector shall be 
encouraged, advised, and, where appropriate, assisted in under- 
taking the application of such measures. 

d. Efforts and programs begun under PD-24 which 
support these policies shall be continued. (U) 

3. Implementation. This Directive establishes a senior
level steering group; an interagency group at the operating 
level; an executive agent and a national manager to implement 
these objectives and policies. (U) 

4. Systems Security Steering Group.

a. A Systems Security Steering Group consisting 
of the Secretary of State, the Secretary of the Treasury, the 
Secretary of Defense, the Attorney General, the Director of 
the Office of Management and Budget, the Director of Central 
Intelligence, and chaired by the Assistant to the President for 
National Security Affairs is established. The Steering Group 
shall: 

(1) Oversee this Directive and ensure its 
implementation. It shall provide guidance to the Executive 
Agent and through him to the National Manager with respect to 
the activities undertaken to implement this Directive. 

(2) Monitor the activities of the operating 
level National Telecommunications and Information Systems 
Security Committee and provide guidance for its activities in
accordance with the objectives and policies contained in this 
Directive. 


(3) Review and evaluate the security status of 
those telecommunications and automated information systems that 
handle classified or sensitive government or government-derived 
information with respect to established objectives and 
priorities, and report findings and recommendations through the 
National Security Council to the President. 

(4) Review consolidated resources program and
budget proposals for telecommunications systems security,
including the COMSEC Resources Program, for the US Government
and provide recommendations to OMB for the normal budget review
process.

(5) Review in aggregate the program and budget 
proposals for the security of automated information systems of 
the departments and agencies of the government. 

(6) Review and approve matters referred to it 
by the Executive Agent in fulfilling the responsibilities 
outlined in paragraph 6. below. 

(7) On matters pertaining to the protection of 
intelligence sources and methods be guided by the policies of 
the Director of Central Intelligence. 

(8) Interact with the Steering Group on 
National Security Telecommunications to ensure that the 
objectives and policies of this Directive and NSDD-97, National 
Security Telecommunications Policy, are addressed in a 
coordinated manner. 

(9) Recommend for Presidential approval addi- 
tions or revisions to this Directive as national interests may 
require.


(10) Identify categories of sensitive 
non-government information, the loss of which could adversely 
affect the national security interest, and recommend steps to 
protect such information. (U) 

b. The National Manager for Telecommunications and
Information Systems Security shall function as executive
secretary to the Steering Group. (U)

5. The National Telecommunications and Information
Systems Security Committee.

a. The National Telecommunications and Information 
Systems Security Committee (NTISSC) is established to operate 
under the direction of the Steering Group to consider technical 
matters and develop operating policies as necessary to
implement the provisions of this Directive. The Committee shall be
chaired by the Assistant Secretary of Defense (Command, Control, 
Communications and Intelligence) and shall be composed of a 
voting representative of each member of the Steering Group and 
of each of the following: 

The Secretary of Commerce 

The Secretary of Transportation 

The Secretary of Energy 

Chairman, Joint Chiefs of Staff

Administrator, General Services Administration 

Director, Federal Bureau of Investigation 

Director, Federal Emergency Management Agency 

The Chief of Staff, United States Army 

The Chief of Naval Operations 

The Chief of Staff, United States Air Force 

Commandant, United States Marine Corps 

Director, Defense Intelligence Agency 

Director, National Security Agency 

Manager, National Communications System (U) 

b. The Committee shall: 


(1) Develop such specific operating policies, 
objectives, and priorities as may be required to implement this
Directive.


(2) Provide telecommunication and automated 
information systems security guidance to the departments and 
agencies of the government. 

(3) Submit annually to the Steering Group an 
evaluation of the status of national telecommunications and 
automated information systems security with respect to estab- 
lished objectives and priorities. 

(4) Identify systems which handle sensitive, 
non-government information, the loss and exploitation of which
could adversely affect the national security interest, for the 
purpose of encouraging, advising and, where appropriate, 
assisting the private sector in applying security measures. 


(5) Approve the release of sensitive systems 
technical security material, information, and techniques to 
foreign governments or international organizations with the 
concurrence of the Director of Central Intelligence for those 
activities which he manages. 

(6) Establish and maintain a national system 
for promulgating the operating policies, directives, and 
guidance which may be issued pursuant to this Directive. 

(7) Establish permanent and temporary subcom- 
mittees as necessary to discharge its responsibilities. 


(8) Make recommendations to the Steering Group 
on Committee membership and establish criteria and procedures 
for permanent observers from other departments or agencies
affected by specific matters under deliberation, who may attend 
meetings upon invitation of the Chairman. 


(9) Interact with the National Communications 
System Committee of Principals established by Executive Order 
12472 to ensure the coordinated execution of assigned
responsibilities. (U)


c. The Committee shall have two subcommittees, one
focusing on telecommunications security and one focusing on 
automated information systems security. The two subcommittees 
shall interact closely and any recommendations concerning 
implementation of protective measures shall combine and
coordinate both areas where appropriate, while considering any
differences in the level of maturity of the technologies to 
support such implementation. However, the level of maturity of 
one technology shall not impede implementation in other areas 
which are deemed feasible and important. (U) 


d. The Committee shall have a permanent secretariat 
composed of personnel of the National Security Agency and such 
other personnel from departments and agencies represented on 
the Committee as are requested by the Chairman. The National 
Security Agency shall provide facilities and support as 
required. Other departments and agencies shall provide 
facilities and support as requested by the Chairman. (U) 


6. The Executive Agent of the Government for
Telecommunications and Information Systems Security. The
Secretary of Defense is the Executive Agent of the Government 
for Communications Security under authority of Executive 
Order 12333. By authority of this Directive he shall serve an 
expanded role as Executive Agent of the Government for 
Telecommunications and Automated Information Systems Security 
and shall be responsible for implementing, under his signature, 
the policies developed by the NTISSC. In this capacity he 
shall act in accordance with policies and procedures 
established by the Steering Group and the NTISSC to: 


a. Ensure the development, in conjunction with 
NTISSC member departments and agencies, of plans and programs 
to fulfill the objectives of this Directive, including the 
development of necessary security architectures. 

b. Procure for and provide to departments and 
agencies of the government and, where appropriate, to private 
institutions (including government contractors) and foreign 
governments, technical security material, other technical
assistance, and other related services of common concern, as 
required to accomplish the objectives of this Directive. 


c. Approve and provide minimum security standards 
and doctrine, consistent with provisions of the Directive. 

d. Conduct, approve, or endorse research and 
development of techniques and equipment for telecommunications 
and automated information systems security for national 
security information. 

e. Operate, or coordinate the efforts of, government
technical centers related to telecommunications and
automated information systems security. 

f. Review and assess for the Steering Group the 
proposed telecommunications systems security programs and
budgets for the departments and agencies of the government for 
each fiscal year and recommend alternatives, where appropriate. 
The views of all affected departments and agencies shall be 
fully expressed to the Steering Group. 

g. Review for the Steering Group the aggregated 
automated information systems security program and budget 
recommendations of the departments and agencies of the US 
Government for each fiscal year. (U) 

7. The National Manager for Telecommunications Security
and Automated Information Systems Security. The Director,
National Security Agency is designated the National Manager for 
Telecommunications and Automated Information Systems Security 
and is responsible to the Secretary of Defense as Executive 
Agent for carrying out the foregoing responsibilities. In 
fulfilling these responsibilities the National Manager shall 
have authority in the name of the Executive Agent to: 

a. Examine government telecommunications systems 
and automated information systems and evaluate their vulner- 
ability to hostile interception and exploitation. Any such 
activities, including those involving monitoring of official 
telecommunications, shall be conducted in strict compliance 
with law, Executive Orders and applicable Presidential
Directives. No monitoring shall be performed without advising 
the heads of the agencies, departments, or services concerned. 

b. Act as the government focal point for cryptog- 
raphy, telecommunications systems security, and automated 
information systems security. 

c. Conduct, approve, or endorse research and 
development of techniques and equipment for telecommunications 
and automated information systems security for national 
security information. 

d. Review and approve all standards, techniques, 
systems and equipments for telecommunications and automated 
information systems security. 

e. Conduct foreign communications security liaison, 
including agreements with foreign governments and with 
international and private organizations for telecommunications 
and automated information systems security, except for those 
foreign intelligence relationships conducted for intelligence 
purposes by the Director of Central Intelligence. Agreements 
shall be coordinated with affected departments and agencies. 

f. Operate such printing and fabrication facilities
as may be required to perform critical functions related to the 
provision of cryptographic and other technical security 
material or services. 


g. Assess the overall security posture and 
disseminate information on hostile threats to tele- 
communications and automated information systems security. 

h. Operate a central technical center to evaluate 
and certify the security of telecommunications systems and 
automated information systems. 

i. Prescribe the minimum standards, methods and 
procedures for protecting cryptographic and other sensitive 
technical security material, techniques, and information. 

j. Review and assess annually the 
telecommunications systems security programs and budgets of the 
departments and agencies of the government, and recommend 
alternatives, where appropriate, for the Executive Agent and 
the Steering Group. 

k. Review annually the aggregated automated 
information systems security program and budget recommendations 
of the departments and agencies of the US Government for the 
Executive Agent and the Steering Group. 

l. Request from the heads of departments and 
agencies such information and technical support as may be 
needed to discharge the responsibilities assigned herein. 

m. Enter into agreements for the procurement of 
technical security material and other equipment, and their 
provision to government agencies and, where appropriate, to 
private organizations, including government contractors, and 
foreign governments. (U) 

8. The Heads of Federal Departments and Agencies shall:


a. Be responsible for achieving and maintaining a 
secure posture for telecommunications and automated information 
systems within their departments or agencies. 

b. Ensure that the policies, standards and 
doctrines issued pursuant to this Directive are implemented 
within their departments or agencies. 

c. Provide to the Systems Security Steering Group, 
the NTISSC, Executive Agent, and the National Manager, as
appropriate, such information as may be required to discharge 
responsibilities assigned herein, consistent with relevant law,
Executive Order, and Presidential Directives. (U)

9. Additional Responsibilities.


a. The Secretary of Commerce, through the Director, 
National Bureau of Standards, shall issue for public use such 
Federal Information Processing Standards for the security of 
information in automated information systems as the Steering 
Group may approve. The Manager, National Communications 
System, through the Administrator, General Services 
Administration, shall develop and issue for public use such 
Federal Telecommunications Standards for the security of 
information in telecommunications systems as the National 
Manager may approve. Such standards, while legally applicable 
only to Federal Departments and Agencies, shall be structured 
to facilitate their adoption as voluntary American National 
Standards as a means of encouraging their use by the private 
sector.

b. The Director, Office of Management and Budget, shall:


(1) Specify data to be provided during the 
annual budget review by the departments and agencies on 
programs and budgets relating to telecommunications systems 
security and automated information systems security of the 
departments and agencies of the government. 

(2) Consolidate and provide such data to the 
National Manager via the Executive Agent. 

(3) Review for consistency with this 
Directive, and amend as appropriate, OMB Circular A-71 
(Transmittal Memorandum No. 1), OMB Circular A-76, as amended, 
and other OMB policies and regulations which may pertain to the 
subject matter herein. (U) 

10. Nothing in this Directive: 

a. Alters the existing authorities of the Director 
of Central Intelligence, including his responsibility to act as 
Executive Agent of the Government for technical security 
countermeasures (TSCM).

b. Provides the NTISSC, the Executive Agent, or the 
National Manager authority to examine the facilities of other 
departments and agencies without approval of the head of such 
department or agency, nor to request or collect information 
concerning their operation for any purpose not provided for 
herein.


c. Amends or contravenes the provisions of existing 
law, Executive Orders, or Presidential Directives which pertain
to the privacy aspects or financial management of automated 
information systems or to the administrative requirements for 
safeguarding such resources against fraud, abuse, and waste. 

d. Is intended to establish additional review
processes for the procurement of automated information 
processing systems. (U) 

11. For the purposes of this Directive, the following 
terms shall have the meanings indicated: 

a. Telecommunications means the preparation,
transmission, communication or related processing of
information by electrical, electromagnetic, electromechanical, or
electro-optical means. 

b. Automated Information Systems means systems
which create, prepare, or manipulate information in electronic
form for purposes other than telecommunication, and includes
computers, word processing systems, other electronic informa- 
tion handling systems, and associated equipment. 

c. Telecommunications and Automated Information
Systems Security means protection afforded to
telecommunications and automated information systems, in order to prevent
exploitation through interception, unauthorized electronic 
access, or related technical intelligence threats, and to 
ensure authenticity. Such protection results from the applica- 
tion of security measures (including cryptosecurity, trans- 
mission security, emission security, and computer security) to 
systems which generate, store, process, transfer, or 
communicate information of use to an adversary, and also 
includes the physical protection of sensitive technical 
security material and sensitive technical security information. 


d. Technical security material means equipment,
components, devices, and associated documentation or other 
media which pertain to cryptography, or to the securing of 
telecommunications and automated information systems. (U) 



13. The functions of the Interagency Group for
Telecommunications Protection and the National Communications
Security Committee (NCSC) as established under PD-24 are
subsumed by the Systems Security Steering Group and the NTISSC, 
respectively. The policies established under the authority of 
the Interagency Group or the NCSC, which have not been 
superseded by this Directive, shall remain in effect until 
modified or rescinded by the Steering Group or the NTISSC,
respectively. (U) 

14. Except for ongoing telecommunications protection 
activities mandated by and pursuant to PD/NSC-24, that Direc- 
tive is hereby superseded and cancelled. (U) 


CONFIDENTIAL 





